by Lane F. Cooper - Originally published in issue 2 of (IN)SECURE Magazine - Tuesday, 30 August 2005.
Thomson Financial Chief Information Security Officer (CISO) Tim Mathias explains, “In 2004, our technical operations organization adopted ITIL [the IT Infrastructure Library] to develop a long term strategy for providing IT services. We embraced an IT service management model that is a top-down, business-driven approach to the management of IT that specifically addresses the strategic business value generated by the IT organization and the need to deliver a high quality IT service. We immediately recognized that security management touches a number of the high level processes including infrastructure and application management, service delivery and service support. So we have integrated our security operations into this service management paradigm.”
According to PatchLink’s Moshir, an effective strategic response to these threats must consist of four basic elements. It must be:
Enterprise-wide. Security efforts must be fully integrated throughout the entire enterprise - and in some cases the extended enterprise - so that threats can be addressed in a unified manner. In its simplest sense, once a threat has been dealt with, the entire organization should be prepared to address it should it manifest itself again anywhere else within the domain.

Fully Automated and Integrated. Given the rapid pace of new threats and vulnerabilities, there is no room for a manual response. Security systems must be able to behave in an integrated manner. This means that perimeter security must be linked to intrusion detection systems, that vulnerability assessment activities must be linked to remediation, and so on.

Dynamic. Information security should be seen as a business process - or better yet, as an integral part of all business processes. As such, it is not an event that can be installed and forgotten. Technology, people and evolving best practices must be constantly developed, tested, deployed and re-evaluated.

Visible, Measurable and Standardized. There should be nothing mysterious about the security strategy. It should be easy for non-technical executives to understand. The data gathered by sensors and reporting tools should be presented in ways that are meaningful to the users who must make decisions based on that information. And the data must be standardized so that information from one security system makes sense to the rest of the organization.
Moshir emphatically states, “From a management standpoint, there must be clarity and transparency within and between all security systems. After all, you cannot effectively manage what you cannot see.”
Lane is the founder and director of Cooper Research Associates. He has over 15 years of experience as a reporter and editor analyzing the business and technology industry. Lane also broadcast The Washington News Bureau Technology Minute for WTOP radio, the top-rated news and information station in the Washington metropolitan area.